The baffling part is why it takes hours for the npm security team to unpublish packages that contain malware, as attested by multiple independent sources. That should be able to happen in minutes.
It would take longer than minutes to validate the claims themselves.
Who vets the sources, and using what scheme?
If email matches owner of repo, pull now. If not verified, ban and restore later.